It seems that the HTC Magic phone distributed by Vodafone in Spain that security researchers discovered recently was pre-loaded with the Mariposa bot client was not an isolated incident after all, as the concerned party had claimed. An employee of another Spanish security vendor found the same malware pre-installed on the same model phone this week bought directly from Vodafone.
The original story on the compromised HTC Magic distributed by Vodafone generated quite a lot of attention, and after the news spread last week, an employee of S21sec found the same Mariposa bot client pre-installed on a Magic that he had ordered from the Vodafone site the same week as the Panda Security researcher had bought hers. Vodafone and HTC both had said that the compromised Magic, which had apparently been opened, refurbished and loaded with the Mariposa malware then re-sold, was an isolated incident and not an indication of a larger problem.
But now Panda researcher Pedro Bustamante says that the same Mariposa malware was found on the phone bought by the S21sec employee, in precisely the same location on the microSD memory card, which is supplied by the mobile carrier, in this case, Vodafone.
He immediately contacted us and was kind enough to send us the
microSD card and allowed us to connect to his PC to analyze what had
happend. According to the dates of the files, it seems his Vodafone HTC
Magic was loaded with the Mariposa bot client on March 1st, 2010 at
19:07, a little over a week before the phone was delivered to him
directly from Vodafone.
This Mariposa botnet client is also loaded in the same hidden
NADFOLDER directory. It is also named as AUTORUN.EXE and will
automatically run when connected into a Windows machine unless you have
The Mariposa botnet client itself is exactly the same as reported
last week, with the same nickname and same Command & Control
In both cases, the malware was found on the microSD card and not on the phone’s file system. HTC did not immediately respond to a request for comment.
In a statement, Vodafone said they still believe the incidents to be limited to Spain.
“On behalf of our customers, Vodafone takes the security and quality of its products and services very seriously and there is an ongoing investigation into the issue. After an extensive Quality Assurance testing on HTC Magic handsets in several of our operating companies, indications are that this is a local incident in Spain. Vodafone keeps all of its security processes under constant review as new threats arise and we will take all appropriate actions to safeguard our customers’ privacy,” the company said.
After the first story about the compromised Magic handset broke, Vodafone said it was planning to discontinue sales of the Magic, at least in the UK, but said the decision was due to a natural evolution of technology.